[nycbug-talk] ipsec-tools racoon with Cisco VPN client...
Dru
dlavigne6 at sympatico.ca
Thu Feb 1 13:30:00 EST 2007
Sounds like they aren't agreeing on policy. What's the config at the Cisco
end?
Dru
On Thu, 1 Feb 2007, Evgueni Tzvetanov wrote:
> Hi all,
>
> I have compiled ipsec-tools-0.6.6. I have
> the VPN working and it is pretty good, but I have a
> problem connecting from a Cisco VPN client to it.
>
> Please, any expert... I need a hint.
> I have set routing between all networks as needed.
>
> Here is my racoon setup script:
>
> ###### racoon configuration file
> #
> #
>
> path certificate "/etc/racoon/certs";
> path pre_shared_key "/etc/racoon/conf/psk.txt";
>
> remote anonymous {
>     exchange_mode aggressive;
>     certificate_type x509 "myhost.crt" "myhost.key";
>     xauth_login <some_id_in_psk.txt>;
>     my_identifier asn1dn;
>     lifetime time 2147483 sec;
>     proposal_check obey;
>     generate_policy on;
>     nat_traversal on;
>     verify_cert off;              # peer certificate is not validated
>     peers_certfile "cvpn.crt";
>     passive on;
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method hybrid_rsa_server;   # server side signs with RSA, client does XAuth
>         dh_group 2;
>     }
> }
>
> mode_cfg {
>     network4 192.168.34.0;
>     netmask4 255.255.255.0;
>     dns4 <dns_ip_here>;
>     # wins4 <wins_ip_here> (none);
> }
>
> sainfo anonymous {
>     pfs_group 2;
>     lifetime time 12 hour;
>     # encryption_algorithm 3des, rijndael;
>     encryption_algorithm 3des, blowfish 448, rijndael;
>     authentication_algorithm hmac_sha1, hmac_md5;
>     #authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
>
> ############## End of file ############
>
> Here is also some racoon log (multigroup
> authentication set on the Cisco VPN client):
>
> ======== snip ====================================
> Jan 30 13:14:49 somehost racoon: INFO: <some_network_ip_here>[4500] used as isakmp port (fd=10)
> Jan 30 13:14:49 somehost racoon: INFO: <same_network_ip_here>[4500] used for NAT-T
> Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
> Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used for NAT-T
> Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
> Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used for NAT-T
> Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[500] used as isakmp port (fd=13)
> Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[4500] used as isakmp port (fd=14)
> Jan 30 13:14:49 somehost racoon: INFO: ::1[500] used as isakmp port (fd=15)
> Jan 30 13:14:49 somehost racoon: INFO: ::1[4500] used as isakmp port (fd=16)
> Jan 30 13:15:46 somehost racoon: INFO: respond new phase 1 negotiation: <my_ip_here>[500]<=><peer_ip_here>[500]
> Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
> Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: DPD
> Jan 30 13:15:46 somehost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
> Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
> Jan 30 13:15:46 somehost racoon: INFO: Adding remote and local NAT-D payloads.
> Jan 30 13:15:46 somehost racoon: INFO: Hashing <peer_ip_here>[500] with algo #2
> Jan 30 13:15:46 somehost racoon: INFO: Hashing <my_ip_here>[500] with algo #2
> Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
> Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
> Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up. d323fbd4271cee91:019b13d5c189eefa
> ======== snip ====================================
>
> The Cisco VPN client log:
>
> ======== snip ====================================
> Peer supports DPD
>
> <<< so far the two ends were talking OK, but... >>>
>
> 181 13:39:28.968 01/30/07 Sev=Warning/3 IKE/0xE300007B
> Failed to verify signature
>
> 182 13:39:28.968 01/30/07 Sev=Warning/2 IKE/0xE3000099
> Failed to authenticate peer (Navigator:904)
>
> 183 13:39:28.968 01/30/07 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to <my_ip_here>
>
> 184 13:39:28.968 01/30/07 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to <my_ip_here>
>
> 185 13:39:28.968 01/30/07 Sev=Warning/2 IKE/0xE30000A5
> Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
>
> 186 13:39:28.968 01/30/07 Sev=Info/4 IKE/0x63000017
> Marking IKE SA for deletion (I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
>
> 187 13:39:29.875 01/30/07 Sev=Info/4 IKE/0x6300004B
> Discarding IKE SA negotiation (I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
>
> 188 13:39:29.875 01/30/07 Sev=Info/4 CM/0x63100014
> Unable to establish Phase 1 SA with server "<some IP here>" because of "DEL_REASON_IKE_NEG_FAILED"
>
> 189 13:39:29.875 01/30/07 Sev=Info/5 CM/0x63100025
> Initializing CVPNDrv
>
> 190 13:39:29.875 01/30/07 Sev=Info/4 IKE/0x63000001
> IKE received signal to terminate VPN connection
>
> 191 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 192 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 193 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 194 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x6370000A
> IPSec driver successfully stopped
> ======== snip ====================================
>
> The psk.txt file has 600 permissions and is in the
> right place. It contains the username/password pairs
> in unencrypted clear text.
>
> When I use certificates it is even worse -- I only get
> the following line in racoon's logs:
>
> Jan 30 13:51:45 somehost racoon: ERROR: not acceptable Identity Protection mode
>
> Thanks in advance!
> ET
>
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
>
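A triage helper for the two logs quoted above, added here as an example and not part of the original thread: it parses racoon's syslog lines and the Cisco VPN client's two-line records, then pulls out the negotiation mode, the vendor IDs the client announced, the server's errors and ISAKMP cookie pair, and the client's warnings and NOTIFY types, so both ends of a failed phase 1 can be read side by side. The sample lines are constructed from the excerpts in the post, with addresses from documentation ranges.

```python
import re
# Constructed samples modelled on the two excerpts in the thread (IPs from documentation ranges).
RACOON_LOG = """\
Jan 30 13:15:46 somehost racoon: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>203.0.113.5[500]
Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up. d323fbd4271cee91:019b13d5c189eefa
"""
# Cisco client records: a header line (seq, time, date, severity, component/code) then the message line.
CISCO_LOG = """\
181    13:39:28.968  01/30/07  Sev=Warning/3\tIKE/0xE300007B
Failed to verify signature
183    13:39:28.968  01/30/07  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 192.0.2.1
184    13:39:28.968  01/30/07  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 192.0.2.1
"""

RACOON_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
CISCO_HDR_RE = re.compile(r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
                          r"Sev=(?P<sev>\w+)/\d\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")

def parse_racoon(text):
    """One dict (timestamp, level, message) per syslog line racoon wrote."""
    return [m.groupdict() for m in map(RACOON_RE.match, text.splitlines()) if m]

def parse_cisco(text):
    """Pair every Cisco client header line with the message line that follows it."""
    lines, records = text.splitlines(), []
    for i, line in enumerate(lines):
        m = CISCO_HDR_RE.match(line)
        if m and i + 1 < len(lines):
            records.append({**m.groupdict(), "msg": lines[i + 1].strip()})
    return records

def phase1_summary(racoon_text, cisco_text):
    """Correlate both ends of a failed phase 1 into the facts a responder checks first."""
    r, c = parse_racoon(racoon_text), parse_cisco(cisco_text)
    failed = [e["msg"] for e in r if e["msg"].startswith("phase1 negotiation failed")]
    return {
        "mode": "aggressive" if any("begin Aggressive mode" in e["msg"] for e in r) else "main",
        "vendor_ids": [e["msg"].split(": ", 1)[1] for e in r if e["msg"].startswith("received Vendor ID")],
        "server_errors": [e["msg"] for e in r if e["level"] == "ERROR"],
        "cookies": failed[0].rsplit(" ", 1)[1] if failed else None,   # ISAKMP initiator:responder cookies
        "client_warnings": [x["msg"] for x in c if x["sev"] == "Warning"],
        "client_notifies": re.findall(r"NOTIFY:(\w+)", " ".join(x["msg"] for x in c)),
    }
```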